What’s the absolute worst part of the Internet? Reasonable folks may disagree, but most would say keeping track of an endless string of passwords ranks somewhere at the top.

Nobody, of course, can remember a unique password for the dozens of sites we each sign into each day, so we end up using the same one over and over again. But as recent breaches of high-profile websites like LinkedIn and Gawker show, this practice makes us increasingly vulnerable to hackers who can find valuable passwords for our bank accounts and e-mail by breaking into other less secure sites.

This is why a consortium of tech companies, including PayPal and Google, has joined together to dream up the future of passwords. And the future, according to this FIDO Alliance (which stands for Fast Identity Online), is to have no passwords at all. “Passwords are just not working terribly well anymore,” says Michael Barrett, chief information-security officer of PayPal and president of FIDO. “And they’re starting to impede the development of the Internet ecosystem.”

A recent study released by Nok Nok shows just how bad many of us are at protecting our online identities. On average, it says, an Internet user has 6.5 passwords and shares one password across 3.9 websites.

Furthermore, ever-growing computer power is causing even safe passwords to become vulnerable. According to a report released earlier this year by the consulting firm Deloitte, more than 90% of user-generated passwords are “vulnerable to hacking.” The report reads:

“Most organizations keep usernames and passwords in a master file. That file is hashed: a piece of software encrypts both the username and password together. Nobody in the organization can see a password in its unencrypted form … So far, so secure. However, master files are often stolen or leaked. A hashed file is not immediately useful to a hacker, but various kinds of software and hardware … can decrypt the master file and at least some of the usernames and passwords. Decrypted files are then sold, shared or exploited by hackers.”

Barrett says that the failure of the password system isn’t an immediate crisis for Silicon Valley, especially for companies that have the wherewithal to invest in robust security systems. But if the problem keeps getting worse, it will begin to erode people’s confidence in online commerce, hurting the industry all around. FIDO is an effort by the industry to get ahead of this problem and dream up a replacement for the password system before it’s too late.

So what is FIDO’s solution? As a consortium of companies, FIDO isn’t interested in coming up with a single alternative to passwords, but rather wants to create a technological framework through which different companies can offer various solutions. While FIDO is agnostic about what method or methods of authentication ultimately replace the password, Barrett explained that the technology exists for devices like computers and smartphones to recognize who you are through your unique physical qualities.

For instance, camera resolution on computers and phones is advanced enough that your computer could verify who you are by scanning your face or eyes. And Barrett expects that within a year smartphones with fingerprint scanners will hit the market. Other examples of authentication methods include touchscreens that can read your signature and voice-recognition software.

If a user has one of these devices, then websites that join the FIDO system can choose which authentication methods to accept. For instance, PayPal might decide to allow users to sign in using voice and face recognition.

But biometric methods aren’t the only way users could decide to sign into websites. They could instead use a combination of a password and a physical object, like a USB plug, that tells your device that you are who you say you are. This combination of a password and a device that you carry around with you is much safer than a simple password alone, and it would allow the use of easy-to-remember passwords, since the account can’t be broken into unless the physical device is present as well.
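As an added illustration (not code from the article or from the FIDO Alliance), the following sketches the device-based login that FIDO protocols build on: at registration the device gives the site only a public key, and at every login the site issues a fresh random challenge that only the device holding the matching private key can answer. Ed25519 is my choice of signature scheme for the sketch, and the user name and site origin are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// msg binds a challenge to the site's origin, so a response captured for one site
// cannot be replayed at another.
func msg(origin string, challenge []byte) []byte { return append([]byte(origin+"|"), challenge...) }
// Authenticator models the physical device (USB key, phone); its private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, err
}
// PublicKey is all the website ever receives from the device.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }
// Sign proves possession of the private key for this site's challenge without revealing it.
func (a *Authenticator) Sign(origin string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, msg(origin, challenge))
}
// RelyingParty models the website. Its "master file" holds only public keys, so a stolen
// copy yields nothing that logs anyone in, unlike a hashed password file.
type RelyingParty struct {
	origin string
	users  map[string]ed25519.PublicKey
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, users: map[string]ed25519.PublicKey{}}
}
func (rp *RelyingParty) Register(user string, pub ed25519.PublicKey) { rp.users[user] = pub }
// Challenge is a fresh random nonce per login attempt, which defeats replay of old responses.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify accepts only a signature by the registered device over this origin and challenge.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	pub, ok := rp.users[user]
	if !ok || !ed25519.Verify(pub, msg(rp.origin, challenge), sig) {
		return errors.New("response does not match a device registered for this user")
	}
	return nil
}
```

A password can still be required in front of this exchange, as the paragraph above describes; the point of the sketch is that the site never holds anything a thief could reuse.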

Barrett claims that this process of moving away from passwords will take years but says that the technology to do it is available now. It’s just a matter of websites and devices getting together to make it work. He believes it will happen because, in the tech world at least, consumers are pretty good at getting what they want.

If that is true, why is PayPal security so vulnerable, with just one simple password? Every bank has a better security system. I like the way that if you try to log in from a new device they will send you a one-time code to your cell. That is very safe.

Indians will screw up any software system. Just a few days back there was an ATM heist case. What more can happen if the Indian managers in supposedly good companies like Accenture India are busy chalking out plans on how to knock out their US counterparts and be the Godfather of the outsourced. From day one these managers are planning man-to-man marking on Microsoft Word or Visio and which of the team members will replace whom from onsite. If well respected companies resort to such aggressive tactics, smaller companies like L&T Infotech send call girls to clients for client ecstasy. It has been caught by its own employees after it sent one call girl to Nordea Bank in Copenhagen. All the clamouring about visas and IT outsourcing will vanish into thin air. India is planning to drag the USA by the collar for stopping outsourcing, what Indians call a Trade Protectionist measure. Companies like Accenture with their financial muscle and might will make OBAMA stoop and he will be left with empty words.

"Nobody, of course, can remember a unique password for the dozens of sites we each sign into each day, so we end up using the same one over and over again."

I can remember each and every one for each and every website, because I build the site (in some way) into my passwords.

I use part of a website URL (or the company name for the shorter website URLs), a short word, a number and a couple of symbols. Parts are capitalized. The number can be placed in whole or in part throughout the password. All I need to do is remember the order that things are put in.

For example, a password for Time.com could be 56TIME&Pascal!23. Let's call the first two numbers my year of birth, the next word the first four letters of the URL or company name (whichever is longer), then an ampersand, my short word and my day of birth. I only need to remember that algorithm and I can make a strong, long, hard-to-crack password that is unique to every site. I can mix and match that algorithm any way I want by changing the order of the components, or the components themselves. And by changing the algorithm every year or so, and updating my passwords, I make it next to impossible for someone to do a simple crack, even if they learn the old algorithm.

So not only is it possible to create long, hard, secure passwords, it's also extremely easy to create ones that are a snap to remember because you create your own algorithm. Remember one algorithm, and you know all of your passwords at a glance of the site. As long as you don't disclose your specific algorithm to anyone, you're set.

Lotus Notes has had this technology since 1989!!! A small, heavily encrypted ID file which contains the user name and associated password. To log on, you need the physical file and the password. The password was not stored anywhere else, not in a central database. No one has ever broken the Lotus (now IBM) Notes security. The ID file can be on a USB stick.

@DeweySayenoff and how do you remember which short word you used? Which symbols?

Honestly though, I don't see this as much of a problem for sites you use every day; even I could remember that, and my memory is terrible. It's the ones that I use once a month or once a year that I can't remember to save my life.